Re: detecting network crowd surges

Could be botnets, zombies, malware, .etc. We're observing
on port 80 & 443 as well. For those, the threshold needs to
be a
bit higher than non-web stuff because by chance, you'll get
a certain
percentage of people happening to go to MySpace, Google,
CNN, .etc.

Also, if one were to send out an SSH worm, then SSH could be
ideal communication vector.

The "common" way to control botnets seems to be IRC channels


I wonder, though, is this how real botnets are controlled?

Surely it would be fair easier, and less obtrusive, to
control your botnet via a updated http site. like
http://<mikeiscool>/instructions.txt. Every day the bots
would log on and receive their latest orders. Makes sense
to hide in http rather then risk a protocol that might be
blocked, doesn't it?

-- mic

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.